Daily Flux Report

'EagleMsgSpy' Android Spyware Linked to Chinese Police

By Feature Launches

China's public security bureaus have allegedly installed the spyware on confiscated phones, according to research from cybersecurity vendor Lookout.

Think twice about handing over your phone to Chinese police. Law enforcement in the country appears to be installing mobile spyware on confiscated devices.

Cybersecurity vendor Lookout discovered a new spyware strain, dubbed EagleMsgSpy, that targets Android phones and has avoided scrutiny until now. The malicious program stands out because it connects to IP addresses for public security bureaus in China, an indication that EagleMsgSpy operates as a state surveillance tool.

In a report, Lookout said it obtained "several variants" of the spyware, which has been in operation since at least 2017. The company's examination of the spyware samples shows that EagleMsgSpy can collect call logs, SMS chats, and messages from WhatsApp, WeChat, and Telegram, in addition to capturing screenshots and audio recordings from the device.

"Lookout researchers have observed an evolution in the sophistication of the use of obfuscation and storage of encrypted keys over time," the report added. "This indicates that this surveillanceware is an actively maintained product whose creators make continuous efforts to protect it from discovery and analysis."

The data EagleMsgSpy secretly collects is password-protected and sent to a command-and-control server. Lookout managed to access large parts of the source code powering the servers, which revealed that EagleMsgSpy may also have been designed to target iOS devices.

The investigation uncovered a help document for the spyware within the server, which described EagleMsgSpy as a "comprehensive mobile phone judicial monitoring product." An IP address for one of the spyware servers also belonged to a private Chinese company called Wuhan Chinasoft Token Information Technology Co., Ltd, the likely developer.

Fortunately, EagleMsgSpy doesn't appear to spread through some unknown Android vulnerability or via fake apps. Instead, it requires physical access to an Android phone to be installed. One of the uncovered help documents also notes that the spyware can be installed through a QR code or via a USB cable connected to an unlocked phone.

Lookout adds that EagleMsgSpy is likely "just one of many contracted mobile surveillance tools used by law enforcement throughout mainland China," citing Chinese government contracts that have been posted online.
